Major IE8 Flaw Makes "Safe" Sites Unsafe

← Back to Stories (view on slashdot.org)

Major IE8 Flaw Makes "Safe" Sites Unsafe

Posted by kdawson on Tuesday November 24, 2009 @10:32AM from the keep-your-scripts-to-yourself dept.

After this weekend's report of a dangerous flaw in IE (which Microsoft confirmed today), intrudere points out an exclusive report in The Register on a new hole in IE8 that could allow an attacker to pull off cross-site scripting attacks on Web sites that ought, by rights, to be safe from XSS. This is according to two anonymous sources, who told El Reg that Microsoft had been notified of the vulnerability a few months ago.

22 of 83 comments (clear)

See, Microsoft is right by Anonymous Coward · 2009-11-24 10:33 · Score: 5, Funny

IE8 is compatible with sites designed for IE6. You won't see other browsers going the extra mile like this.
1. Re:See, Microsoft is right by Penguinisto · 2009-11-24 10:52 · Score: 2, Insightful
  
  Strangely enough, I'm torn between demanding a funny mod or an insightful one for you.
  ...times like this that /. really need a "Funny-but-Damned-Clever" mod.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
2. Re:See, Microsoft is right by TheVelvetFlamebait · 2009-11-24 17:24 · Score: 2, Interesting
  
  We do. It's called -1 Troll.
  
  --
  You know, there is a difference between trolling and pointing out the flaws in your reasoning. Just saying.
Breaking News by BeaverAndrew · 2009-11-24 10:36 · Score: 5, Funny

Oh my gosh! Internet explorer is not safe to use? This is incredible hot, breaking news to me.
1. Re:Breaking News by palegray.net · 2009-11-24 10:52 · Score: 5, Funny
  I must dispute your view in the strongest terms possible. Internet Explorer is perfectly safe for everyday use. However, as there is no such thing as perfect security, you must take additional precautions to keep evil hackers away from your data. Apply these rules according to the sensitivity of your data, from least important to most:
  
  Disconnect your computer from your local network. Download files on another computer, scan them for viruses, print them out, scan them into your Windows PC using ORC software, and then view the pages in IE.
  Do the above, but have a priest onsite to bless each page individually before scanning it. This is an excellent deterrent against viruses with the word "demon" in the name.
  Do the above, but encase your PC in acrylic and immerse it in a 10,000 gallon tank of holy water. Interact with it while wearing scuba gear.
  Do the above, but put a lid on the tank and immerse it in the ocean. Interact with your PC via a submersible robot in the tank from from outside while wearing scuba gear.
  If you fail to follow these simple security guidelines, you can't blame Microsoft for the results.
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
2. Re:Breaking News by Penguinisto · 2009-11-24 10:55 · Score: 4, Insightful
  
  Internet Explorer is perfectly safe for everyday use.
  As long as you follow the old US gov't C3 security guidelines/settings for Windows NT 4.0 while you do it, sure.
  
  --
  Quo usque tandem abutere, Nimbus, patientia nostra?
3. Re:Breaking News by dkleinsc · 2009-11-24 11:17 · Score: 3, Funny
  
  You forgot to do something to filter out those pages with the Evil Bit set (see RFC 3514).
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
4. Re:Breaking News by lorenlal · 2009-11-24 11:18 · Score: 3, Funny
  
  No no no... I think he's on to something there.
In other news by Dartz-IRL · 2009-11-24 10:37 · Score: 5, Insightful

Rain is wet....
Despite MS best efforts, IE just won't shake it's 'insecure' tag, will it?
Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.

--
So there I was, scribbling down some notes off the PC screen by hand, when I reached for the keyboard and Ctrl-S'd.
1. Re:In other news by palegray.net · 2009-11-24 10:43 · Score: 2, Funny
  
  Part of me wonders if perhaps these vulnerabilities aren't being made a big deal of because of the reputation of IE6. The rest of me which started using Firefox a long time ago just feels smug and superior.
  Dude, cutting yourself in half over a web browser seems a little extreme.
  
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
2. Re:In other news by erroneus · 2009-11-24 11:09 · Score: 3, Insightful
  
  The browser is a still an integral part of the OS. All else follows.
3. Re:In other news by selven · 2009-11-24 11:10 · Score: 2, Funny
  
  I agree, that is excessive. BTW, do you use vim or emacs? I want to know whether or not I should call the hit.
4. Re:In other news by lorenlal · 2009-11-24 11:23 · Score: 2, Informative
  
  As long as you have UAC enabled... Implying that you have Vista or Windows 7.
5. Re:In other news by quickOnTheUptake · 2009-11-24 11:31 · Score: 2, Informative
  
  You mean the article that only a single pie graph comparing browsers? And no discussion at all of where he got his list of vulnerabilities from?
  I don't think it is that they are selective, just that they refused to accept numbers on faith alone.
  
  --
  Mod points: Guaranteed to remove your sense of humor.
  Side effects may include gullibility and temporary retardation
6. Re:In other news by DJRumpy · 2009-11-24 12:34 · Score: 2, Interesting
  
  That's the clincher. I can only imagine how many corporations are in the same boat as mine. Tons of IE6 specific apps and XP due to the Vista fiasco. I'm still waiting for an IE upgrade, years after 7 and 8 have been released. It's about as insecure as you can get, yet they still use it.
  This alone should teach the dangers of relying on a single vendor too much. What's odd is they are actually very good about this on any other platforms, but they wear blinders when it comes to Microsoft products.
7. Re:In other news by DJRumpy · 2009-11-24 13:55 · Score: 5, Insightful
  
  Yes, after months or years of testing. Had IE been standards compliant in the first place, without all of the OS specific hooks, many companies wouldn't be in this boat.
  It is not an insignificant effort to get off of IE 6, especially without many thousands of users, and hundreds or thousands of apps that will break, or require testing under Windows 7's Virtual PC software.
8. Re:In other news by Zero__Kelvin · 2009-11-24 16:27 · Score: 2, Funny
  
  "Yes, because we all know the omni-secure firefox NEVER has a security vulnerability. At least IE runs sandboxed."
  I think you are going overboard there. Just because Microsoft IE engineers have their head in the sand, that's no reason to call the whole project sandboxed. You inspired me to write a little one question deductive reasoning test, just for you:
  
  Q: The degree and number of IE security problems compared to Firefox is like:
  
  A) The number of people starving in Ethiopia compared to the number of people who couldn't Super-Size their McDonald's order today
  B) The death toll in a plane crash compared to the death toll in a skateboarding accident
  C) The pain involved in being shot in the stomach by a twelve gauge compared to the pain of a hangnail
  D) All of the above
  
  Good luck, and don't forget to phone a friend if possible!
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
9. Re:In other news by Anonymous Coward · 2009-11-24 18:57 · Score: 2, Informative
  
  You didn't RTFA. The flaw is located in normal user-mode code. Nothing about the flaw is in any way amplified or exacerbated by any perceived OS integration.
  And for that matter, IE has been a normal program from day one, however much MS may choose to deny that. IE is only a part of the OS in the sense that its rendering engine is used by the help system and the like. Is Konqueror part of the Linux kernel? Of course not.
Redundant by gyrogeerloose · 2009-11-24 10:54 · Score: 3, Insightful

"IE8 Flaw" is, in and of itself, a redundancy.

--
This ain't rocket surgery.
Re:Ummm by lorenlal · 2009-11-24 11:24 · Score: 4, Funny

Please go to the "a new hole in IE8" article.
And if you're looking for the article to *read* it... yes, you are new here.
Re:IE8 is *not* vulnerable by praseodym · 2009-11-24 11:41 · Score: 5, Informative

Except, that was the FIRST security flaw linked in the article. The SECOND one (at The Register) is about a different security flaw, in the XSS filter. The XSS filter is new in IE8.
And, BTW, Google does indeed disable it so that they are not vulnerable to the flaw: their servers send a "X-XSS-Protection: 0" header.
That seems like a really strange thing to do... by argent · 2009-11-24 11:58 · Score: 3, Interesting

It seems to me that if the IE team is capable of telling that a combination of features is potentially dangerous, then why would they edit the source of the page to avoid triggering the vulnerability, rather than actually eliminating the vulnerability being attacked?